remote connection closed - ssh

simsaull00
Level 1

Hi guys,

I have an issue when trying to set up ssh on a 6509, strange because I think I've done the same on another chassis and it works just fine....

Anyway these are some configuration and debug outputs to help you help me

On the chassis:

#show run

aaa new-model

username admin password 7 ------

aaa authentication login default local

aaa session-id common

ip ssh logging events

ip ssh version 2

....

line vty 0 4

logging synchronous

transport input ssh

#sh ip ssh

SSH Enabled - version 2.0

Authentication timeout: 120 secs; Authentication retries: 3

#show crypto key mypubkey rsa

Key name: 6509.test.lan

Storage Device: not specified

Usage: General Purpose Key

Key is not exportable.

Key Data:

  30819F31 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C4D160

  339C8C44 8239A63F 8FB3A63C D958401C 75B170E9 0FF6E6D7 8FC15787 BC9F7C4C

  9602FA5A 4DDC1586 F8CDFB11 7F1736C9 51249150 6D19780F 2C8F7BEA 85C8C0B2

  27EB87BB BD8017AD A614866B C32BD860 E789B5B9 4BB171BB 3A6AE8DD BD25EE91

  8EBC528D EFABF4DB 3D64B151 3596FB4F C50656A9 5E150423 2090C346 1D020301 0001

Key name: blabla.test.lan.serve

Temporary key

Usage: Encryption Key

Key is not exportable.

Key Data:

  307C300D 06092A86 4886F70D 01010106 00036B00 30680261 00BFB899 02975015

  D16E7833 EAFBAEF2 F8FDEFD7 D8A9316B F775392F 3A56910E BC0ED66D 44E2E197

  5982E605 6738C617 3FA6D928 8C2856CC C2638443 DA5069A4 52273940 245B822C

  84707E96 561A5089 78A3C4FB 4667FB26 1E88BD7F A9A328E3 E1020301 0001

On the client, in the same LAN :

ssh 6509.test.lan

Connection closed by 10.1.10.4

ssh 6509.test.lan -v

debug1: Reading configuration data /root/.ssh/config

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug1: Connecting to ecore [XX.XX.XX.XX] port 22.

debug1: Connection established.

debug1: permanently_set_uid: 0/0

debug1: identity file /root/.ssh/id_rsa type -1

debug1: identity file /root/.ssh/id_rsa-cert type -1

debug1: identity file /root/.ssh/id_dsa type -1

debug1: identity file /root/.ssh/id_dsa-cert type -1

debug1: Remote protocol version 2.0, remote software version Cisco-1.25

debug1: no match: Cisco-1.25

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-cbc hmac-md5 none

debug1: kex: client->server aes128-cbc hmac-md5 none

debug1: sending SSH2_MSG_KEXDH_INIT

debug1: expecting SSH2_MSG_KEXDH_REPLY

Connection closed by 10.1.10.4

telnet 6509.test.lan 22

Trying 10.1.10.4...

Connected to ecore.noc.lan.

Escape character is '^]'.

SSH-2.0-Cisco-1.25

As you can see the ssh server is running but still, the connection gets closed.

Also, I've tried to re-generate the rsa keys several times and it did not resolve anything.

Finally, on the other chassis the "show crypto key mypubkey rsa" output is :

2ndchassis#sho crypto key mypubkey rsa

Key name:2ndchassis.test.lan

Usage: General Purpose Key

Key is not exportable.

Key Data:

  30819F31 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A81281

  D2D19867 F1284924 9F231BC0 8804F6D5 D8736E46 04101B4C 62A89273 E35F0CE6

  E478221E 1B371D5E EFAB0ABF 5335F76E 774405B6 33DA215B 8BA632E0 7F30F19B

  5AB72424 1B3AD48A A5EDF830 C515D302 01271B8E 97CCC3A3 8F8028C3 6794E0D1

  56BDCA1C 7F153D70 31F37B22 DB361990 C73FF5BF 8C13EB53 8140EBB0 69020301 0001

Key name: 2ndchassis.lan.server

Usage: Encryption Key

Key is not exportable.

Key Data:

  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D61097 B6765536

  329D6716 52B5C0AA 7FEF1170 C1966228 488A3415 F6D696A2 8C5724D1 8A841731

  CCEE27B2 6586306A 429E24AE ADA4A54E 497718E1 504653F4 61F31AAF 01000012

  3D43E518 14EF18D0 6536D524 7B4169D5 1B6C04C4 535A17DA 6F020301 0001

There is no mention of "Storage Device: not specified" like on the first chassis.

Thank you for your time and help people!


branfarm1
Level 4

What size modulus are you using for your keys?  I recently ran into a problem with some 7201's where I was unable to login with SSH when I used a 4096 bit modulus.   Recreating my keys at 2048 bits solved the problem.

HTH,

Brandon

Thanks Brandon, I usually use 2k modulus, but during my testing I regenerated the keys with a 1024 and even the default 512b modulus....just in case. But it doesn't seem to be the problem here.

thx

Hi,

what happens when you ssh from a cisco device?

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain, this is the output from the other chassis :

#ssh 10.1.10.4

Connection to 6509 closed by remote host.

Connection to 6509 closed.

Another thing, I'm connecting to the failing chassis through telnet for now. I used the "debug ip ssh" command but I don't get any output for now, is there anything specific to do to get the outputs on the vty???

thanks

Hi,

yes to get log outputs on the vty:

-terminal monitor in privileged mode

-logging monitor debug in global config mode

Regards.

Alain.

Don't forget to rate helpful posts.

Thanks Alain,

so this is the debug output :

Incoming SSH debugging is on

6509#

*May  5 04:32:29.789: SSH0: starting SSH control process

*May  5 04:32:29.789: SSH0: sent protocol version id SSH-2.0-Cisco-1.25

*May  5 04:32:29.789: SSH0: protocol version id is - SSH-2.0-OpenSSH_5.5p1 Debian-6

*May  5 04:32:29.789: SSH2 0: send: len 280 (includes padlen 4)

*May  5 04:32:29.789: SSH2 0: SSH2_MSG_KEXINIT sent

*May  5 04:32:29.789: SSH2 0: ssh_receive: 848 bytes received

*May  5 04:32:29.789: SSH2 0: input: packet len 848

*May  5 04:32:29.789: SSH2 0: partial packet 8, need 840, maclen 0

*May  5 04:32:29.789: SSH2 0: input: padlen 6

*May  5 04:32:29.789: SSH2 0: received packet type 20

*May  5 04:32:29.789: SSH2 0: SSH2_MSG_KEXINIT received

*May  5 04:32:29.789: SSH2: kex: client->server aes128-cbc hmac-md5 none

*May  5 04:32:29.789: SSH2: kex: server->client aes128-cbc hmac-md5 none

*May  5 04:32:29.801: SSH2 0: expecting SSH2_MSG_KEXDH_INIT

*May  5 04:32:29.989: SSH2 0: ssh_receive: 144 bytes received

*May  5 04:32:29.989: SSH2 0: input: packet len 144

*May  5 04:32:29.989: SSH2 0: partial packet 8, need 136, maclen 0

*May  5 04:32:29.989: SSH2 0: input: padlen 6

*May  5 04:32:29.989: SSH2 0: received packet type 30

*May  5 04:32:29.989: SSH2 0: SSH2_MSG_KEXDH_INIT received

*May  5 04:32:30.005: SSH2 0: RSA_sign: private key not found

*May  5 04:32:30.005: SSH2 0: signature creation failed, status -1

*May  5 04:32:30.005: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.1.10.91 (tty = 0) using crypto cipher '', hmac '' Failed

*May  5 04:32:30.005: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.1.10.91 (tty = 0) for user '' using crypto cipher '', hmac '' closed

*May  5 04:32:30.105: SSH0: Session disconnected - error 0x00

I don't understand why my key is not found...I guess this is related to "Storage Device: not specified".

6509#show crypto key storage

Default keypair storage device has been set to nvram

Is the nvram the right place to store a key?

Thanks
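
One way to triage `debug ip ssh` output like the above automatically, as an added example that is not part of the original thread: it reports how far the key exchange got, which message the server never produced, and any known failure strings. The sample lines are a constructed subset of the output quoted above; the `HINTS` table and the `triage` function are hypothetical, and the message order is the Diffie-Hellman exchange from RFC 4253.

```python
import re

# Constructed sample: a subset of the `debug ip ssh` lines quoted in the post above.
SAMPLE_LOG = """\
*May  5 04:32:29.789: SSH2 0: SSH2_MSG_KEXINIT sent
*May  5 04:32:29.789: SSH2 0: SSH2_MSG_KEXINIT received
*May  5 04:32:29.789: SSH2: kex: client->server aes128-cbc hmac-md5 none
*May  5 04:32:29.801: SSH2 0: expecting SSH2_MSG_KEXDH_INIT
*May  5 04:32:29.989: SSH2 0: SSH2_MSG_KEXDH_INIT received
*May  5 04:32:30.005: SSH2 0: RSA_sign: private key not found
*May  5 04:32:30.005: SSH2 0: signature creation failed, status -1
*May  5 04:32:30.005: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.1.10.91 (tty = 0) using crypto cipher '', hmac '' Failed
"""

# SSH transport message order for a Diffie-Hellman key exchange (RFC 4253).
ORDER = ["SSH2_MSG_KEXINIT", "SSH2_MSG_KEXDH_INIT",
         "SSH2_MSG_KEXDH_REPLY", "SSH2_MSG_NEWKEYS"]
# Hypothetical triage table: debug substring -> what to check on the device.
HINTS = {
    "private key not found":
        "no usable RSA host key: check 'show crypto key mypubkey rsa' "
        "and 'show crypto key storage'",
    "signature creation failed":
        "server could not sign the exchange hash carried in KEXDH_REPLY",
}
MSG = re.compile(r"(SSH2_MSG_\w+) (?:sent|received)")  # skips 'expecting ...'
KEX = re.compile(r"kex: client->server (\S+) (\S+)")
PEER = re.compile(r"Session request from (\S+)")

def triage(log):
    """Summarise a single failed session from IOS `debug ip ssh` output."""
    out = {"last_msg": None, "stalled_before": None, "cipher": None,
           "mac": None, "peer": None, "hints": []}
    reached = -1  # index in ORDER of the furthest message actually seen
    for line in log.splitlines():
        m = MSG.search(line)
        if m and m.group(1) in ORDER:
            reached = max(reached, ORDER.index(m.group(1)))
        m = KEX.search(line)
        if m:
            out["cipher"], out["mac"] = m.groups()
        m = PEER.search(line)
        if m:
            out["peer"] = m.group(1)
        for needle, hint in HINTS.items():
            if needle in line and hint not in out["hints"]:
                out["hints"].append(hint)
    if reached >= 0:
        out["last_msg"] = ORDER[reached]
        if reached + 1 < len(ORDER):
            out["stalled_before"] = ORDER[reached + 1]
    return out
```

On the sample, the session stalls before `SSH2_MSG_KEXDH_REPLY`, the message in which the server signs with its host key, which matches the client side stopping at "expecting SSH2_MSG_KEXDH_REPLY".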

Hi,

maybe this is the bug they're talking about here:

http://www.gossamer-threads.com/lists/cisco/nsp/122885

Alain.

Don't forget to rate helpful posts.

Actually yes, it does look like my problem! Thanks Alain, I'll try the workaround and let you know.

Thanks
